Better Health Pathways HUB sent you an email with a unique code to take the quiz. If you did not get the email, check your spam folder. If you still cannot find it, send us an email from the email address we have on file for you and we will resend the code.
You must score 70% or higher to pass the quiz. If you do not pass, review the training material, then take the quiz again.
You can use notes while taking the quiz. At the end of each section there is a list of things You Should Remember. This is important information you will need.
Health Insurance Portability and Accountability Act
Fines for a breach can be as much as fifty thousand dollars per violation. The most a breach can cost is one million, five hundred thousand dollars in one year.
It is important to make sure you are always HIPAA compliant. Every kind of HIPAA breach is a threat; some kinds are more common than others.
What are the HIPAA Rules?
The Privacy Rule sets the standards for, among other things, who may have access to PHI.
The Security Rule sets the standards for protecting Electronic Protected Health Information (ePHI): the administrative, physical, and technical safeguards that control who can access it.
The Minimum Necessary Standard limits each use or disclosure of PHI to the least information needed for the purpose, so too much information is not shared.
What is Protected Health Information (PHI)
PHI is individually identifiable health information, whether it is held on paper (physical PHI) or electronically (ePHI). Past, present, and future health information is PHI.
PHI is information including:
- Physical records
- Electronic records
- Spoken information
You Should Remember
- Any individually identifiable health information is PHI.
- Health records, health histories, lab test results, and medical bills are PHI. Health information is PHI!
Keeping Unsecured Records
Unsecured records can be read by people that are not allowed to see them. This creates a HIPAA violation.
Securing PHI records
- Physical files must be locked in a desk, filing cabinet, or office.
- Digital information requires a password.
- Digital information must be encrypted.
You Should Remember
- PHI must be stored in a secure location. Physical files must be locked in a desk, filing cabinet, or office.
- Digital information requires a password.
- Digital information must be encrypted.
Conversation in Public
General gossip or chit-chat by the water cooler can be harmless, but PHI is always off-limits. When talking to co-workers in public, there is no reason to discuss PHI.
Be careful with the information you share. When discussing PHI, always be aware of who may be listening. Keep conversations about PHI behind closed doors, and always with the minimum necessary standard.
You Should Remember
- Discussing PHI is off-limits in public.
- Only discuss PHI behind closed doors.
- Use the minimum necessary standard.
The HIPAA Privacy Rule and Right to Access a Family Member’s PHI
The Privacy Rule grants people the right to access their health records upon request.
They can allow anybody else to see their PHI. To do so they must authorize it in writing, sign the authorization, and name who may see their PHI.
Their family members can have access to their PHI if they meet requirements based on tax law. The family member must meet either the qualifying child test or the qualifying relative test.
To meet the qualifying child test, the child must be:
- Younger than 19 years old at the end of the calendar year, OR
- A student younger than 24 years old at the end of the calendar year.
- A permanently and totally disabled adult child has no age limit.
- If the adult child meets the qualifying relative test, there is no age limit.
To meet the qualifying relative test, the relative must either:
- Have lived all year as a member of the taxpayer's household, OR
- Be an adopted child, an in-law, a stepchild or grandchild, a sibling, a grandparent, an aunt, an uncle, a niece, or a nephew.
- The dependent relative may not be the taxpayer's qualifying child.
Other tests based on tax law must also be met in addition to these.
You Should Remember
- Not all family members of the client have the right to access the client's PHI.
- The qualifying relative and qualifying child tests are based on tax law.
- The person has the right to allow anybody to review their health records but must provide written authorization before the disclosure.
Proper Disposal of Paper Records
Protected Health Information (PHI) must be disposed of by shredding, burning, pulping, or pulverizing.
PHI left in a trash can or put in a dumpster can get into the hands of the wrong person. Disposing of PHI this way is a HIPAA violation.
PHI that is unreadable, indecipherable, and cannot be reconstructed, has been disposed of properly.
You Should Remember
- Protected Health Information (PHI) must be disposed of by shredding, burning, pulping, or pulverizing.
- PHI left in a trash can or dumpster can get into the hands of the wrong person. This would be a HIPAA violation.
- If you can reconstruct PHI then it has not been disposed of properly.
The use of Email, Texting, Fax, and Social Media
HIPAA requires safeguards whenever you use any messaging method to send any type of PHI.
Emails and Texts to Clients. If the client requests the use of non-secure messaging, HIPAA allows it, but the client must sign a consent form to authorize it. If the client does not sign the consent form, the covered entity must use safeguards such as encryption.
Warn the Client. Before any unsecured messaging takes place, warn the client that someone else could see their PHI. The client must give written consent before messaging begins.
Emails and Texts to Other CHWs. If you email or text PHI to a co-worker, encryption is mandatory.
Fax. Sending PHI via fax is not secure. To fax PHI, you must use the fax number provided by the Pathways HUB and include a cover sheet. A more secure way to send PHI is the Pathways HUB secure portal.
Posting on Social Media. You cannot put anything about a client anywhere on the web. This is a violation of the Privacy Rule and substantial fines can be issued.
You Should Remember
- Warn the Client. Before unsecured messaging takes place, warn the client someone else can see their PHI. The client must give written consent for this before messaging begins.
- Sending PHI via fax is not secure. You must use the fax number provided by Better Health Pathways HUB if you need to fax documents. If a fax machine is not available, contact your supervisor to send the document to the Better Health Pathways HUB secure portal.
- Posting ANY client info on social media. You cannot put anything about a client anywhere on the web. This is a violation of the Privacy Rule and substantial fines can be issued.
How to Securely Delete PHI on Electronic Devices
When you delete a file on an electronic device it appears to be gone. The device did not erase the file; it only removed the marker (the directory entry) that points to it. The file's contents are still on the storage until something overwrites them. The same thing happens when you format a hard drive.
When you put a piece of paper in a trash can, you can pull it back out if you want it. Deleting a file on an electronic device is the same: the data is still there. Deleting never removes data; the data has to be removed on purpose.
You remove data from electronic devices by using special software to overwrite it with non-sensitive data, by purging it, by degaussing magnetic media with a strong magnet, or by melting, incinerating, or shredding the device. Overwriting is not reliable on solid-state drives and flash memory, because the drive itself decides where data is physically written; for those, use the drive's built-in secure-erase or cryptographic-erase function, or destroy the device. Destroying the device is the recommended method if you no longer need the equipment.
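The following is an added example, not code from the Better Health Pathways HUB training, showing both halves of the point above: a constructed ToyDisk whose "delete" only drops the directory entry (so a carver scanning the raw media still finds the record), and an overwrite_and_unlink() helper that does the overwrite on a real file. The patient record it writes is constructed sample data, and the caveat about solid-state media in the helper's docstring is why overwriting is not the whole answer.

```python
"""Why "delete" does not remove data, and what overwriting does about it.

Added example, not code from the Better Health Pathways HUB training. ToyDisk
is a constructed model: the media is a bytearray and the directory is a dict
that maps a file name to (offset, length). An ordinary delete drops the
directory entry only; the bytes stay until they are overwritten, which is
exactly what a forensic carver looks for.
"""
import os
import secrets
import tempfile


class ToyDisk:
    """A flat byte store with a directory, enough to show the deletion problem."""

    def __init__(self, size: int = 1024) -> None:
        self.media = bytearray(size)
        self.directory = {}  # name -> (offset, length)
        self._next_free = 0

    def write_file(self, name: str, data: bytes) -> None:
        start, end = self._next_free, self._next_free + len(data)
        if end > len(self.media):
            raise OSError("toy disk is full")
        self.media[start:end] = data
        self.directory[name] = (start, len(data))
        self._next_free = end

    def read_file(self, name: str) -> bytes:
        start, length = self.directory[name]
        return bytes(self.media[start:start + length])

    def delete(self, name: str) -> None:
        """Ordinary delete: forget where the file was, leave its bytes alone."""
        del self.directory[name]

    def secure_delete(self, name: str, passes: int = 3) -> None:
        """Overwrite the file's bytes with random data before forgetting it."""
        start, length = self.directory[name]
        for _ in range(passes):
            self.media[start:start + length] = secrets.token_bytes(length)
        del self.directory[name]

    def carve(self, needle: bytes) -> bool:
        """What a recovery tool does: scan the raw media, ignoring the directory."""
        return needle in self.media


def overwrite_and_unlink(path: str, passes: int = 3) -> None:
    """Overwrite a real file in place, then unlink it.

    Caveat: this only helps on media where an in-place write really lands on
    the same physical location. SSDs, flash drives, and copy-on-write or
    journaling file systems can leave the old blocks intact, so for those rely
    on full-disk encryption from day one, the drive's built-in secure erase,
    or physical destruction (the "purge" and "destroy" levels of NIST SP 800-88).
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            fh.write(secrets.token_bytes(size))
            fh.flush()
            os.fsync(fh.fileno())
    os.remove(path)


def demo_toy_disk() -> dict:
    """Report what a carver finds after an ordinary delete vs. a secure delete."""
    record = b"Patient: Jane Doe, DOB 1970-01-01, Dx: hypertension"  # constructed PHI
    disk = ToyDisk()
    disk.write_file("record.txt", record)
    disk.delete("record.txt")
    disk2 = ToyDisk()
    disk2.write_file("record.txt", record)
    disk2.secure_delete("record.txt")
    return {
        "listed_after_delete": "record.txt" in disk.directory,
        "recoverable_after_delete": disk.carve(b"Jane Doe"),
        "recoverable_after_secure_delete": disk2.carve(b"Jane Doe"),
    }


def demo_real_file() -> bool:
    """Write a temp file, overwrite-and-unlink it, and report whether it still exists."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"Patient: Jane Doe, DOB 1970-01-01")  # constructed PHI
    overwrite_and_unlink(path)
    return os.path.exists(path)


if __name__ == "__main__":
    print(demo_toy_disk())
    print("real file still exists:", demo_real_file())
```

The toy disk makes the "marker" idea concrete: after delete() the name is gone from the directory but carve() still finds the patient's name in the raw bytes; after secure_delete() it does not. On a laptop this is why full-disk encryption plus destruction at end of life beats relying on overwrite tools.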
You Should Remember
- When you delete a file on an electronic device it appears to be gone. The device did not erase the file; it only removed the marker that points to it. The file's contents are still there. The same thing happens when you format a hard drive.
- When you put a piece of paper in a trash can, you can pull it back out if you want it. Deleting a file on an electronic device is the same: the data is still there. Deleting never removes data; it only removes the marker or changes it to point to the recycle bin.
- Destroying the device is the recommended method of removing data if you no longer need the equipment.
How to Make your Passwords HIPAA Compliant
HIPAA does not spell out strict password rules. That is because businesses of different sizes do not have the same resources. Businesses must do their best and use commercially reasonable products to meet the Security Rule's requirement for procedures to create, change, and safeguard passwords.
Use at least 12 characters. Care Coordination Systems use this rule.
Avoid password hints. Giving hints like “my last name” or “my anniversary” is the same as giving your password away. Do not do it!
Create memorable passwords. You do not need to create complicated passwords. Use passphrases that you can easily remember. They must be unique and not easy to guess. This is more secure than writing your password on a sticky note and placing it on your computer.
Is the password easy to guess? Estimated time for an attacker to guess each one:
- b1gfrankY – 12 days to guess
- ILoveLobster!58 – 4 centuries to guess
Remembering a lot of hard passwords is impossible. That is why people fall back on common passwords, write them down, or share them. Never do this, and do not share your password with anyone, not even your supervisor or technical support! Remembering easy-to-remember passphrases is a lot easier.
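As an added example (not the checker used by Care Coordination Systems or the Pathways HUB), the script below applies the page's 12-character minimum, rejects passwords from a common-password list, refuses password hints, and estimates how long a brute-force search would take. The guess rate GUESSES_PER_SECOND and the small COMMON_PASSWORDS set are constructed assumptions, so the times it prints illustrate the length effect rather than reproduce the figures quoted above.

```python
"""Check a password against the page's rules and estimate brute-force effort.

Added example, not Care Coordination Systems or Pathways HUB code. MIN_LENGTH
is the page's rule; the guess rate and the common-password list are assumed.
"""
import string

MIN_LENGTH = 12
GUESSES_PER_SECOND = 1e10  # assumed: offline attack on a fast, unsalted hash
COMMON_PASSWORDS = {        # constructed stand-in for a real breached-password list
    "password", "password1", "123456", "12345678", "qwerty123", "letmein", "welcome1",
}
PUNCTUATION = set(string.punctuation)


def character_classes(password: str) -> list:
    """Which alphabets the attacker must include, with their sizes."""
    classes = []
    if any(c.islower() for c in password):
        classes.append(("lowercase", 26))
    if any(c.isupper() for c in password):
        classes.append(("uppercase", 26))
    if any(c.isdigit() for c in password):
        classes.append(("digits", 10))
    if any(c in PUNCTUATION for c in password):
        classes.append(("symbols", len(PUNCTUATION)))  # 32 ASCII symbols
    if any(c.isspace() for c in password):
        classes.append(("space", 1))
    return classes


def charset_size(password: str) -> int:
    return sum(size for _, size in character_classes(password))


def brute_force_seconds(password: str) -> float:
    """Seconds to exhaust the whole keyspace at GUESSES_PER_SECOND."""
    return charset_size(password) ** len(password) / GUESSES_PER_SECOND


def human_time(seconds: float) -> str:
    for unit, span in (("seconds", 60), ("minutes", 60), ("hours", 24),
                       ("days", 365.25), ("years", 100)):
        if seconds < span:
            return f"{seconds:.1f} {unit}"
        seconds /= span
    return f"{seconds:.1f} centuries"


def check_password(password: str, hint: str = "") -> list:
    """Return the rules the password breaks; an empty list means it passes."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        issues.append("appears in the common-password list")
    if hint:
        issues.append("password hints are not allowed")
    if len(character_classes(password)) < 2:
        issues.append("uses only one kind of character")
    return issues


if __name__ == "__main__":
    for pw in ("b1gfrankY", "ILoveLobster!58", "Password1", "correct horse battery staple"):
        print(f"{pw!r}: {check_password(pw) or 'ok'}; "
              f"keyspace {charset_size(pw)}^{len(pw)}, "
              f"exhaustive search {human_time(brute_force_seconds(pw))}")
```

Length dominates the estimate: adding six characters multiplies the keyspace by the alphabet size six times over, which is why a long passphrase of ordinary words beats a short "clever" password. The estimate is only a lower bound on attacker cost when the password is a dictionary word plus digits, since real crackers try those patterns first; that is what the common-password check stands in for.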
You Should Remember
- Use a minimum of 12 characters. Care Coordination Systems use this rule.
- Create memorable passwords. You do not need to create complicated passwords. Use passphrases that you can easily remember. They must be unique and not easy to guess. This is more secure than writing your password on a sticky note and placing it on your computer.
- Do not share your password with anyone - not even your supervisor or technical support!
How to Recognize Phishing
Scammers change the way they trick you all the time, but there are always clues that will help you recognize a phishing email or a spear phishing email.
An example of a phishing email might say "You won a million dollars! Click here to collect!"
Spear phishing emails are aimed at you personally, using information the scammer has gathered about you, for example from your web and social media activity. They may look like they come from a well-known business you know and trust. Both kinds of phishing email have the same consequence: you clicked a link and the scammers now have your personal information. They may have the PHI of your clients!
We will treat both kinds of email as phishing emails.
Phishing emails are there to trick you so the scammer can steal from you. They often:
- Say that if you do not update your account, it will be disabled.
- Appear to come from a company you trust.
- Say you must confirm some personal information.
- Ask you to click on a link to change your account.
- Tell you to act right now, or something will happen to your account.
Phishing email example
Do you see their tricks?
- The email looks like it is from a company you know, Care Coordination Systems, whose real domain is carecoordinationsystems.us, but the sender's address ends in .com, not .us.
- “Hi Dear,” They should know who you are if you need to change your password!
- Do it NOW or your account will be disabled.
Ask yourself a question
You get an email that asks you to click on a link or open an attachment. Ask yourself: Do I know who this is from?
If the answer is "No," it could be a phishing scam. Do you see any of the signs above? If you do, delete the email.
If the answer is "Yes," contact the sender using a phone number or website you know is real. Do not use the contact information in the email! Attachments and links can steal from you.
If the email could be legitimate but you are not sure, ask your supervisor or contact Better Health.
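The clues in the example above (a sender domain with the wrong ending, a generic greeting, pressure to act now, and a link that does not go to the company's own site) can be checked mechanically. The script below is an added example, not a Better Health or Care Coordination Systems tool; EXPECTED_DOMAIN is the real domain named on the page, while SAMPLE_PHISH and SAMPLE_LEGIT are constructed messages and the phrase lists are assumptions.

```python
"""Triage a raw email for the phishing signs described above.

Added example, not tooling from Better Health or Care Coordination Systems.
EXPECTED_DOMAIN is the domain named on the page; the two sample messages and
the phrase lists are constructed for the demonstration.
"""
import email
import email.policy
import re
from urllib.parse import urlparse

EXPECTED_DOMAIN = "carecoordinationsystems.us"
URGENCY_PHRASES = ("immediately", "act now", "will be disabled", "suspended", "within 24 hours")
GENERIC_GREETINGS = ("hi dear", "dear customer", "dear user", "dear member")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

SAMPLE_PHISH = """\
From: Care Coordination Systems <support@carecoordinationsystems.com>
To: chw@example.org
Subject: Action required: password reset

Hi Dear,

Your account will be disabled unless you update your password immediately.
Click here: http://carecoordinationsystems-login.com/reset?user=chw
"""

SAMPLE_LEGIT = """\
From: Care Coordination Systems <support@carecoordinationsystems.us>
To: chw@example.org
Subject: Monthly pathway report

Hi Maria,

Your report for last month is ready in the portal:
https://portal.carecoordinationsystems.us/reports
"""


def in_domain(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def triage(raw: str) -> dict:
    """Return the phishing signs found, grouped by the clue each one is."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    findings = {"sender": [], "greeting": [], "urgency": [], "links": []}

    # 1. Does the sender's domain match the company it claims to be?
    sender = msg["from"].addresses[0].domain.lower()
    if not in_domain(sender, EXPECTED_DOMAIN):
        note = f"sender domain {sender} is not {EXPECTED_DOMAIN}"
        if sender.rsplit(".", 1)[0] == EXPECTED_DOMAIN.rsplit(".", 1)[0]:
            note += " (same name, different ending)"
        findings["sender"].append(note)

    # 2. A real account notice addresses you by name.
    first_line = next((ln.strip() for ln in body.splitlines() if ln.strip()), "")
    if first_line.lower().startswith(GENERIC_GREETINGS):
        findings["greeting"].append(first_line)

    # 3. Pressure to act now, in the subject or the body.
    lowered = ((msg["subject"] or "") + "\n" + body).lower()
    findings["urgency"] = [p for p in URGENCY_PHRASES if p in lowered]

    # 4. Every link should point back to the company's own domain.
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if not in_domain(host, EXPECTED_DOMAIN):
            findings["links"].append(f"{url} goes to {host}")
    return findings


def is_suspicious(raw: str) -> bool:
    return any(triage(raw).values())


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, "suspicious" if is_suspicious(raw) else "no obvious signs", triage(raw))
```

A hit on any one category is enough to stop and verify out of band, as the guidance above says; the sender check in particular catches the .com-for-.us swap because it compares the registrable name with its ending stripped.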
You Should Remember
- An example of a phishing email may be "You won a million dollars! Click here to collect!"
- Spear phishing emails are aimed at you personally, using information the scammer has gathered about you, for example from your web and social media activity. They may look like they come from a well-known business you know and trust. Both kinds of phishing email have the same consequence: you clicked a link and the scammers now have your personal information. They may have the PHI of your clients!
- If the email could be legitimate, but you are not sure, ask your supervisor or contact Better Health.
Loss or Theft of Devices
When you lose a device used to store PHI, there is a replacement cost. There could also be a HIPAA violation. Here are two incidents that resulted in fines.
The first violation occurred at Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS).
In 2014, an iPhone that held PHI was stolen. The iPhone was not password protected or encrypted, so anyone could look at the data on it. This exposed the PHI of 412 nursing home residents and their families. In June 2016 CHCS settled with HHS for a fine of over $600,000.
A medical center in Rochester lost a laptop and a flash drive that held PHI. A fine of $3 million was issued because there was no encryption.
Store devices with PHI in a secure location. Not doing so could result in the loss or theft of the device. If the device is not password protected or encrypted, the loss becomes even more severe.
Report a missing device that stores PHI immediately.
You Should Remember
- A lost or stolen device that holds PHI and has no password or encryption can result in significant fines.
- You must report a missing device that stores PHI immediately.
Storage Encryption – Data Encryption is Required
Encryption turns something you can read into something you cannot read without the key.
Suppose you have a file that contains the sentence: the quick brown fox jumped over the lazy dog!
If the file is not encrypted, a hacker who gets the file sees that sentence exactly as written.
What if this were PHI?
If the file is encrypted, the hacker sees only scrambled data that cannot be read without the key.
Encryption is a requirement for the Pathways HUB.
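To make the "lock and key" picture concrete, here is an added example (not the Pathways HUB's own tool) that encrypts the sentence above with a key derived from a password, then shows that the words are no longer visible in the output, that the right password recovers them, and that a wrong password or a single flipped bit is rejected rather than producing garbage. It uses hashlib.scrypt from the Python standard library and AES-GCM from the `cryptography` package (pip install cryptography); the password, file names, and the BHPH1 header byte string are constructed assumptions, not a real file format.

```python
"""Encrypt and decrypt data with a password-derived key (AES-256-GCM).

Added example, not Pathways HUB code. Key derivation is hashlib.scrypt from
the standard library; AES-GCM comes from the `cryptography` package. The
HEADER marker, password, and file names are constructed for the demo.
"""
import hashlib
import os
import secrets
import tempfile

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

HEADER = b"BHPH1"   # constructed marker so decrypt can reject files it did not make
SALT_LEN = 16       # random per file, so one password yields a different key each time
NONCE_LEN = 12      # AES-GCM nonce; never reuse a nonce with the same key


def derive_key(password: str, salt: bytes) -> bytes:
    """Stretch the password into a 32-byte key; n=2**14 keeps the demo quick."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def encrypt_bytes(plaintext: bytes, password: str) -> bytes:
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = AESGCM(derive_key(password, salt)).encrypt(nonce, plaintext, HEADER)
    return HEADER + salt + nonce + ciphertext  # the GCM tag is appended inside ciphertext


def decrypt_bytes(blob: bytes, password: str) -> bytes:
    """Raises InvalidTag on a wrong password or any change to the blob."""
    if not blob.startswith(HEADER):
        raise ValueError("not a file produced by this tool")
    pos = len(HEADER)
    salt = blob[pos:pos + SALT_LEN]
    nonce = blob[pos + SALT_LEN:pos + SALT_LEN + NONCE_LEN]
    ciphertext = blob[pos + SALT_LEN + NONCE_LEN:]
    return AESGCM(derive_key(password, salt)).decrypt(nonce, ciphertext, HEADER)


def encrypt_file(src: str, dst: str, password: str) -> None:
    with open(src, "rb") as fh:
        blob = encrypt_bytes(fh.read(), password)
    with open(dst, "wb") as fh:
        fh.write(blob)


def opens_with(blob: bytes, password: str) -> bool:
    """True if the password is right and the blob has not been altered."""
    try:
        decrypt_bytes(blob, password)
        return True
    except InvalidTag:
        return False


def demo() -> dict:
    plaintext = b"the quick brown fox jumped over the lazy dog!"
    blob = encrypt_bytes(plaintext, "ILoveLobster!58")
    tampered = bytearray(blob)
    tampered[-1] ^= 0x01  # flip one bit of the ciphertext/tag
    return {
        "words_visible_in_encrypted_file": b"brown fox" in blob,
        "round_trip_ok": decrypt_bytes(blob, "ILoveLobster!58") == plaintext,
        "wrong_password_rejected": not opens_with(blob, "b1gfrankY"),
        "tampering_rejected": not opens_with(bytes(tampered), "ILoveLobster!58"),
    }


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "note.txt")
        with open(src, "wb") as fh:
            fh.write(b"the quick brown fox jumped over the lazy dog!")
        encrypt_file(src, src + ".enc", "ILoveLobster!58")
        with open(src + ".enc", "rb") as fh:
            print(fh.read()[:32])  # header, salt, nonce, then unreadable ciphertext
    print(demo())
```

Two design points matter for PHI: the salt and the slow key derivation mean a stolen encrypted file cannot be attacked with a precomputed table, and GCM's authentication tag means a wrong password fails cleanly instead of decrypting to nonsense that might be mistaken for a corrupt record. On a laptop or phone the same idea is what full-disk encryption does for every file at once, which is why the lost-device cases above turned on whether encryption was enabled.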
You Should Remember
- Encryption is a requirement for the Pathways HUB.
- Encryption is like your computer putting a lock on the data and it has the key. When you enter your password, the computer allows you to see the data, otherwise, you cannot.
Fraud, Waste or Abuse (FWA)
Tell your supervisor about any cost charged to a Federal Healthcare Program that should not be. These costs could be Fraud, Waste, or Abuse (FWA).
Fraud is knowingly lying or misrepresenting facts to get money or other things from the government. It is against the law and can be punished criminally or civilly.
You may not know you are doing anything wrong with Waste or Abuse. Waste is an unnecessary cost to Medicare. Most of the time Waste is a misuse of resources or using services more than needed. In some cases, it can be a criminal offense.
Anything charged to Medicare that is not needed is Abuse. Whether or not you know you are doing anything wrong, it is Abuse.
Penalties for FWA depend on the violation. They include civil and criminal penalties, loss of license, prison, and being banned from participation in federal healthcare programs.
If you think something is going on that should not be, report it to your supervisor. Everything reported will be kept private. We will review every report. If it is true, we will address it immediately.
The simplest way to fight Fraud, Waste, and Abuse is to prevent it, detect it, and correct it.
You Should Remember
- Fraud is knowingly lying or misrepresenting facts to get money or other things from the government. It is against the law and can be punished criminally or civilly.
- Waste is an unnecessary cost to Medicare. Most of the time Waste is a misuse of resources or using services more than needed. In some cases, it can be a criminal offense.
- Anything charged to Medicare that is not needed is Abuse. Whether or not you know you are doing anything wrong, it is Abuse.
HIPAA Breach Notification
Notify the affected individuals without unreasonable delay and no later than 60 days after the breach is discovered. Notify Health and Human Services within the same 60 days if the breach affects 500 or more people; smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered.
You must also notify the media if the breach affects more than 500 residents of a state or jurisdiction.
If you think there has been a potential breach, contact the Pathways HUB Privacy Officer right away.